Hello all,
I'm running relay 292FCACE773DC259B799914A23BE65A6A6178E8F and have noticed traffic drops when enabling UFW. Around 2024-01-15, I enabled UFW on this server. I noticed a 9x drop in traffic (10.88M -> 1.708M), and chalked it up to relay weirdness. This is about when my relay's Guard status would randomly drop every few weeks. I finally got fed up with this huge drop in traffic on 2024-06-11 and was about to reinstall my server OS. This is when I decided to disable UFW and found that my traffic went back over a few days (2.215M -> 8.948M).
Here are my tor-related UFW rules:

     To                         Action      From
     --                         ------      ----
[ 3] 9001                       ALLOW IN    Anywhere
[11] 9001 (v6)                  ALLOW IN    Anywhere (v6)
I'm really confused how UFW firewalled most, but not all, of my relay's traffic. What UFW rules do other relay operators enact?
Thanks, Likogan
This reminds me of Oracle Cloud and Ubuntu’s FW. It is known to have a conflict between both. You had to drop UFW and rely on Oracle’s VPS own firewall. Otherwise, many connections would not get through, if at all. As a personal recommendation, I’d stay far from Ubuntu.
On Tuesday, 18 June 2024 18:53:07 CEST admin--- via tor-relays wrote:
I have never used a frontend for IP/nftables. I have no idea what the scripts produce and whether they are correct. The beauty of UNIX/Linux is the human-readable config text files that you can comment on as you wish.
> Here are my tor-related UFW rules:
>
>      To                         Action      From
>      --                         ------      ----
> [ 3] 9001                       ALLOW IN    Anywhere
> [11] 9001 (v6)                  ALLOW IN    Anywhere (v6)
>
> I'm really confused how UFW firewalled most, but not all, of my relay's traffic. What UFW rules do other relay operators enact?
Maybe you could post your entire FW ruleset. (Use pastebin)
First, no output filters: :OUTPUT ACCEPT
Here are default IP/nftables rules for Tor relays: https://github.com/boldsuck/tor-relay-bootstrap/tree/master/etc/iptables https://github.com/boldsuck/tor-relay-bootstrap/blob/master/etc/nftables.con...
Here are my current nftables on my Frantech Exits: https://paste.systemli.org/?052a70208b22aebe#4b8qoJU9MrPgopfhm9HPxARTwXmWVkw...
You don't need to set up dynamic DDoS policies there. Francisco already does that on his Junipers.
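As an added illustration of the points made in the reply above (inbound ORPort open on both address families, no output filtering, no dynamic DDoS policy), here is a minimal nftables ruleset for a non-exit relay. This is an example written for this thread, not the tor-relay-bootstrap file or the Frantech ruleset linked above. It assumes ORPort 9001, SSH on port 22 and no DirPort; adjust the ports to match your torrc.

```nft
#!/usr/sbin/nft -f
# Added example ruleset for a Tor non-exit relay (not from the linked repos).
# Assumptions: ORPort 9001 (v4 and v6), SSH on 22, no DirPort configured.
flush ruleset

# A single "inet" table covers IPv4 and IPv6, so 9001 needs one rule, not two.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and already-tracked connections.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMP and ICMPv6 (path MTU discovery, neighbour discovery).
        meta l4proto { icmp, ipv6-icmp } accept

        # Management access.
        tcp dport 22 accept

        # Tor ORPort: this is the only inbound service a relay has to expose.
        tcp dport 9001 accept

        # If you run a DirPort, add it here, e.g.: tcp dport 9030 accept
    }

    chain forward {
        # A relay does not route for anyone else.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # No output filters: a relay dials other relays on arbitrary ORPorts,
        # so ":OUTPUT ACCEPT" is the right policy here.
        type filter hook output priority 0; policy accept;
    }
}
```

Check the file before loading it with `nft -c -f /etc/nftables.conf`, load it with `nft -f /etc/nftables.conf`, and confirm what is actually active with `nft list ruleset`. One caveat: both this ruleset and UFW's generated rules rely on connection tracking, and a busy relay holds many thousands of connections, so compare `sysctl net.netfilter.nf_conntrack_max` against the relay's connection count and watch the kernel log for `nf_conntrack: table full, dropping packet`, which silently drops a fraction of traffic while leaving the allow rules looking correct.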